Browse Definitions:
Definition

gummy bear hack

A gummy bear hack is an attempt to fool a biometric fingerprint scanner by using a gelatin-based candy to hold a fingerprint.

Low-end optical fingerprint scanners can often be fooled with a simple image of a fingerprint, while more sophisticated devices check for characteristics such as electrical current and blood flow. As it turns out, however, the capacitance of gelatin is similar to that of a human finger. Furthermore, if a gelatin-based fingerprint is attached to a living finger, the method could fool those fingerscanners as well because the device would detect those characteristics through the clear gelatin.

The idea behind the gummy bear hack originated with 2002 research led by Japanese cryptographer Tsutomu Matsumoto. Matsumoto and his team used clear gelatin to make artificial fingers that they then used to fool fingerprint scanners. The gelatin-based finger was successful in fooling all 11 devices tested. Reporting on the experiment in the Crypto-Gram, security expert Bruce Schneier commented that gelatin is “the same substance gummi bears are made of.”

When some Australian schools began using fingerprint scanners as a “sign-in” method in 2010, there were media reports suggesting that students could fool the system using gummy bears. The suggested method was simple: impress your fingerprint into a gummy bear and then get an accomplice to put the gummy bear over his own finger to register your attendance. Although there have been many reports that gummy bears could be used in this manner, there are no reports of anyone actually doing so.

A group of students from Washington & Jefferson College’s Information Technology Leadership program attempted to test the theory. The students made fingerprint casts from a variety of substances, including not only gummy bears but also modeling clay, Play-Doh and Silly Putty and tested the casts against Microsoft's Fingerprint Reader and an APC Biometric Security device. Some of the substances held fingerprints better than the others but the gummy bears were not successful. From the class’s report:

None of us was able to get a gummy bear to hold a fingerprint, either on the flat back surface, or by tearing the gummy bear open and trying to create an impression on the softer interior. It was theorized that perhaps a superior quality of gummy bear, instead of the generic brand purchased, or a gummy candy with a large surface area would work better. But for the remainder of the experiment the gummy bears became simply a form of sustenance.

 

Learn more:

The original research report is “Impact of Artificial ‘Gummy’ Fingers on Fingerprint Systems.”

Here’s the report from the students at Washington and Jefferson College.

ZDNet Australia reported on a "Sweet bypass for student fingerprint scanner."

See how gelatin can be used to successfully defeat a fingerprint scanner in this Mythbusters video.

This was last updated in December 2010

Join the conversation

2 comments

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

Big Bold Bears will work. They are the size of a finger and will hold the print. Slice them lengthways to make thinner gelatin so the scanners can detect current and blood flow through the gummy bear.
Cancel
Still, there's something ironically amusing about the idea of a high-tech security system possibly being undermined by a common candy item. I suppose Swedish fish would be too hard. <*))swedish))-{
Cancel

-ADS BY GOOGLE

File Extensions and File Formats

Powered by:

SearchCompliance

  • pure risk (absolute risk)

    Pure risk, also called absolute risk, is a category of threat that is beyond human control and has only one possible outcome if ...

  • risk assessment

    Risk assessment is the identification of hazards that could negatively impact an organization's ability to conduct business.

  • audit program (audit plan)

    An audit program, also called an audit plan, is an action plan that documents what procedures an auditor will follow to validate ...

SearchSecurity

  • insider threat

    Insider threat is a generic term for a threat to an organization's security or data that comes from within.

  • ransomware

    Ransomware is a subset of malware in which the data on a victim's computer is locked, typically by encryption, and payment is ...

  • hacker

    A hacker is an individual who uses computer, networking or other skills to overcome a technical problem.

SearchHealthIT

SearchDisasterRecovery

  • business continuity and disaster recovery (BCDR)

    Business continuity and disaster recovery (BCDR) are closely related practices that describe an organization's preparation for ...

  • business continuity plan (BCP)

    A business continuity plan (BCP) is a document that consists of the critical information an organization needs to continue ...

  • call tree

    A call tree -- sometimes referred to as a phone tree -- is a telecommunications chain for notifying specific individuals of an ...

SearchStorage

SearchSolidStateStorage

  • 3D XPoint

    3D XPoint is memory storage technology jointly developed by Intel and Micron Technology Inc.

  • RRAM or ReRAM (resistive RAM)

    RRAM or ReRAM (resistive random access memory) is a form of nonvolatile storage that operates by changing the resistance of a ...

  • JEDEC

    JEDEC is a global industry group that develops open standards for microelectronics.

SearchCloudStorage

  • Google Cloud Storage

    Google Cloud Storage is an enterprise public cloud storage platform that can house large unstructured data sets.

  • RESTful API

    A RESTful application program interface breaks down a transaction to create a series of small modules, each of which addresses an...

  • cloud storage infrastructure

    Cloud storage infrastructure is the hardware and software framework that supports the computing requirements of a private or ...

Close